(This story has been updated.)
In the latest incident, an attack targeted about 200 online campus stores in the U.S. and Canada. A malicious skimming script was injected into payment checkout pages, with credit card and personal information skimmed off and sent to a remote server, according to an analysis by Trend Micro.
But the latest incident targeting campus online stores apparently involved a previously unknown group, which Trend Micro calls Mirrorthief. And the security firm says it cannot connect the new group to Magecart.
JS sniffers that target a wide array of e-commerce websites and content systems management platforms are a growing concern because they're so difficult to detect and, even if the code is removed, the attackers can return.
"Much of the tooling we see is complicated, but a lot of it is very simple and can be repackaged by other criminals," Yonathan Klijnsma, a threat researcher at RiskIQ who has been tracking Magecart and skimmer attacks over the last several months, tells Information Security Media Group. "There's been a lot of re-use of the same code."
Most JS sniffer tools work in much the same way as a credit card skimmer. But instead of physically attaching a device to an ATM, a JS sniffer uses a few lines of code injected onto an e-commerce site to skim data that consumers use to buy goods.
The malware costs between $250 and $5,000 to buy on underground forums, according to a recent analysis by Group-IB, a security firm.
JS sniffers can be altered slightly for different types of attacks. For instance, MagentoName is designed to take advantage of vulnerabilities in older versions of the Magento content management system, while the WebRank JS sniffers family injects its malicious code into websites that the attackers target, according to Group-IB.
In the case that Trend Micro examined, the Mirrorthief group injected a script into the payment checkout libraries that are built on a platform called PrismWeb, which is owned by PrismRBS, a company that has contracts with universities and colleges.
The injected script disguises itself as part of the Google Analytics tool to avoid detection, Trend Micro says. Once inside the platform, the first script loads a secondary script, which steals the data. In this attack, the malware is designed to take advantage of flaws in PrismWeb, Trend Micro reports.
"The skimmer collects data only from HTML elements with the specific IDs on PrismWeb's payment form," according to the Trend Micro analysis. "The stolen credit card information includes card number, expiry date, card type, card verification number (CVN), and the cardholder's name. The skimmer also steals personal information like addresses and phone numbers for billing."
The data is later encrypted and sent back to the attacker's server, Trend Micro found.
"A very large portion of the [JS sniffer] attacks are large-scale automated campaigns that discover vulnerable websites, exploit them, and insert a skimmer," Klijnsma says. "However, the recent breach of the university stores is manual. It's a well-picked target and a more sophisticated attack that would be difficult to automate."
The Trend Micro researchers first saw Mirrorthief's activity on April 14, and they notified PrismRBS April 26.
In a statement released to Trend Micro, PrismRBS notes: "Upon learning of this incident, we immediately took action to halt the current attack, initiated an investigation, engaged an external IT forensic firm to assist in our review, and notified law enforcement and payment card companies."
While it's not clear if Mirrorthief borrowed or bought Magecart source code for its operations, it does appear this new group is learning fast.
"The first Magecart group operated from 2014 to 2016 and pioneered the concept of web skimming," Klijnsma says. "The group observed by Trend Micro is one of the newer ones. They've been around for a while but have not been in the skimming business long."
While somewhat modest in scale, Viktor Okorokov, a threat intelligence Analyst at Group-IB, tells ISMG that these Mirrortheft attacks can produce a big return for the attackers.
"Compared to some other families described by Group-IB, Mirrorthief operations are quite modest in terms of scale," Okorokov says. "However, according to the Trend Micro report, they managed to infect about 200 websites. Even one swift JS-sniffer attack on a relatively small number of websites can bring a lot of money to cybercriminals."
Other Platforms, Other Targets
As more cybercriminal gangs make use of JS sniffers, the list of targets is growing.
The Magento platform, which is used by tens of thousands of e-commerce sites, is a favorite targets of these types of skimmers. But a recent RiskIQ analysis shows that other platforms, including OpenCart, Shopify and OSCommerce, are also being targeted.
"Major online stores running these platforms are usually victimized when a platformwide vulnerability comes out that requires immediate patching," according to the RiskIQ analysis. "But the majority of outdated platforms run on smaller, mostly unknown stores. Attackers target plugins installed on these platforms, which are often vulnerable because their developers write code for functionality over security."
In addition, JS sniffer and skimmer attacks are now spreading beyond e-commerce and payment sites to other victims, researchers say.
"Payment data has been the focus for these groups, but we're already seeing moves to skim login credentials and any other kind of sensitive information. This widens the scope of potential victims - and perpetrators - far beyond e-commerce," Klijnsma says.